2020-09-27 15:29:33 +02:00
|
|
|
|
//! Cross-Origin Resource Sharing (CORS) controls for Actix web.
|
2020-07-03 18:56:46 +02:00
|
|
|
|
//!
|
|
|
|
|
|
//! This middleware can be applied to both applications and resources.
|
|
|
|
|
|
//! Once built, [`CorsFactory`](struct.CorsFactory.html) can be used as a
|
|
|
|
|
|
//! parameter for actix-web `App::wrap()`, `Resource::wrap()` or
|
|
|
|
|
|
//! `Scope::wrap()` methods.
|
2018-01-10 08:55:42 +01:00
|
|
|
|
//!
|
2020-07-03 18:56:46 +02:00
|
|
|
|
//! This CORS middleware automatically handles `OPTIONS` preflight requests.
|
2018-01-10 08:55:42 +01:00
|
|
|
|
//!
|
|
|
|
|
|
//! # Example
|
|
|
|
|
|
//!
|
2020-07-03 18:56:46 +02:00
|
|
|
|
//! In this example a custom CORS middleware is registered for the
|
|
|
|
|
|
//! "/index.html" endpoint.
|
|
|
|
|
|
//!
|
2018-01-10 08:55:42 +01:00
|
|
|
|
//! ```rust
|
2019-06-15 05:34:16 +02:00
|
|
|
|
//! use actix_cors::Cors;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
//! use actix_web::{http, web, App, HttpRequest, HttpResponse, HttpServer};
|
2018-01-10 08:55:42 +01:00
|
|
|
|
//!
|
2019-11-22 06:49:35 +01:00
|
|
|
|
//! async fn index(req: HttpRequest) -> &'static str {
|
2018-06-01 18:37:14 +02:00
|
|
|
|
//! "Hello world"
|
2018-01-10 08:55:42 +01:00
|
|
|
|
//! }
|
|
|
|
|
|
//!
|
2019-03-24 05:29:16 +01:00
|
|
|
|
//! fn main() -> std::io::Result<()> {
|
|
|
|
|
|
//! HttpServer::new(|| App::new()
|
2019-03-25 21:02:10 +01:00
|
|
|
|
//! .wrap(
|
2019-03-24 05:29:16 +01:00
|
|
|
|
//! Cors::new() // <- Construct CORS middleware builder
|
|
|
|
|
|
//! .allowed_origin("https://www.rust-lang.org/")
|
2020-09-25 01:36:53 +02:00
|
|
|
|
//! .allowed_origin_fn(|req| {
|
|
|
|
|
|
//! req.headers
|
|
|
|
|
|
//! .get(http::header::ORIGIN)
|
|
|
|
|
|
//! .map(http::HeaderValue::as_bytes)
|
|
|
|
|
|
//! .filter(|b| b.ends_with(b".rust-lang.org"))
|
|
|
|
|
|
//! .is_some()
|
|
|
|
|
|
//! })
|
2019-03-24 05:29:16 +01:00
|
|
|
|
//! .allowed_methods(vec!["GET", "POST"])
|
|
|
|
|
|
//! .allowed_headers(vec![http::header::AUTHORIZATION, http::header::ACCEPT])
|
|
|
|
|
|
//! .allowed_header(http::header::CONTENT_TYPE)
|
2019-11-21 05:54:07 +01:00
|
|
|
|
//! .max_age(3600)
|
|
|
|
|
|
//! .finish())
|
2019-03-24 05:29:16 +01:00
|
|
|
|
//! .service(
|
|
|
|
|
|
//! web::resource("/index.html")
|
|
|
|
|
|
//! .route(web::get().to(index))
|
|
|
|
|
|
//! .route(web::head().to(|| HttpResponse::MethodNotAllowed()))
|
|
|
|
|
|
//! ))
|
|
|
|
|
|
//! .bind("127.0.0.1:8080")?;
|
|
|
|
|
|
//!
|
|
|
|
|
|
//! Ok(())
|
2018-01-10 08:55:42 +01:00
|
|
|
|
//! }
|
|
|
|
|
|
//! ```
|
2020-07-03 18:56:46 +02:00
|
|
|
|
|
|
|
|
|
|
#![allow(clippy::borrow_interior_mutable_const, clippy::type_complexity)]
|
2020-09-11 17:26:15 +02:00
|
|
|
|
#![deny(missing_docs, missing_debug_implementations, rust_2018_idioms)]
|
2020-07-03 18:56:46 +02:00
|
|
|
|
|
2018-01-10 07:33:51 +01:00
|
|
|
|
use std::collections::HashSet;
|
2020-09-26 21:02:45 +02:00
|
|
|
|
use std::convert::TryInto;
|
2020-09-25 01:36:53 +02:00
|
|
|
|
use std::fmt;
|
2018-01-10 22:41:33 +01:00
|
|
|
|
use std::iter::FromIterator;
|
2018-04-09 23:20:12 +02:00
|
|
|
|
use std::rc::Rc;
|
2019-11-21 05:54:07 +01:00
|
|
|
|
use std::task::{Context, Poll};
|
2018-01-10 07:33:51 +01:00
|
|
|
|
|
2019-11-21 05:54:07 +01:00
|
|
|
|
use actix_service::{Service, Transform};
|
2019-06-15 05:34:16 +02:00
|
|
|
|
use actix_web::dev::{RequestHead, ServiceRequest, ServiceResponse};
|
|
|
|
|
|
use actix_web::error::{Error, ResponseError, Result};
|
|
|
|
|
|
use actix_web::http::header::{self, HeaderName, HeaderValue};
|
2019-12-05 18:35:43 +01:00
|
|
|
|
use actix_web::http::{self, Error as HttpError, Method, StatusCode, Uri};
|
2019-06-15 05:34:16 +02:00
|
|
|
|
use actix_web::HttpResponse;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
use derive_more::Display;
|
2020-03-11 21:43:48 +01:00
|
|
|
|
use futures_util::future::{ok, Either, FutureExt, LocalBoxFuture, Ready};
|
2018-01-10 07:33:51 +01:00
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// A set of errors that can occur as a result of processing CORS.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
#[derive(Debug, Display)]
|
2018-01-10 23:20:00 +01:00
|
|
|
|
pub enum CorsError {
|
2018-01-10 07:33:51 +01:00
|
|
|
|
/// The HTTP request header `Origin` is required but was not provided
|
2019-03-24 05:29:16 +01:00
|
|
|
|
#[display(
|
|
|
|
|
|
fmt = "The HTTP request header `Origin` is required but was not provided"
|
2018-04-29 07:55:47 +02:00
|
|
|
|
)]
|
2018-01-10 07:33:51 +01:00
|
|
|
|
MissingOrigin,
|
|
|
|
|
|
/// The HTTP request header `Origin` could not be parsed correctly.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
#[display(fmt = "The HTTP request header `Origin` could not be parsed correctly.")]
|
2018-01-10 07:33:51 +01:00
|
|
|
|
BadOrigin,
|
2018-04-14 01:02:01 +02:00
|
|
|
|
/// The request header `Access-Control-Request-Method` is required but is
|
|
|
|
|
|
/// missing
|
2019-03-24 05:29:16 +01:00
|
|
|
|
#[display(
|
|
|
|
|
|
fmt = "The request header `Access-Control-Request-Method` is required but is missing"
|
2018-04-29 07:55:47 +02:00
|
|
|
|
)]
|
2018-01-10 07:33:51 +01:00
|
|
|
|
MissingRequestMethod,
|
|
|
|
|
|
/// The request header `Access-Control-Request-Method` has an invalid value
|
2019-03-24 05:29:16 +01:00
|
|
|
|
#[display(
|
|
|
|
|
|
fmt = "The request header `Access-Control-Request-Method` has an invalid value"
|
2018-04-29 07:55:47 +02:00
|
|
|
|
)]
|
2018-01-10 07:33:51 +01:00
|
|
|
|
BadRequestMethod,
|
2018-04-14 01:02:01 +02:00
|
|
|
|
/// The request header `Access-Control-Request-Headers` has an invalid
|
|
|
|
|
|
/// value
|
2019-03-24 05:29:16 +01:00
|
|
|
|
#[display(
|
|
|
|
|
|
fmt = "The request header `Access-Control-Request-Headers` has an invalid value"
|
2018-04-29 07:55:47 +02:00
|
|
|
|
)]
|
2018-01-10 08:55:42 +01:00
|
|
|
|
BadRequestHeaders,
|
2018-01-10 07:33:51 +01:00
|
|
|
|
/// Origin is not allowed to make this request
|
2019-03-24 05:29:16 +01:00
|
|
|
|
#[display(fmt = "Origin is not allowed to make this request")]
|
2018-01-10 07:33:51 +01:00
|
|
|
|
OriginNotAllowed,
|
|
|
|
|
|
/// Requested method is not allowed
|
2019-03-24 05:29:16 +01:00
|
|
|
|
#[display(fmt = "Requested method is not allowed")]
|
2018-01-10 07:33:51 +01:00
|
|
|
|
MethodNotAllowed,
|
|
|
|
|
|
/// One or more headers requested are not allowed
|
2019-03-24 05:29:16 +01:00
|
|
|
|
#[display(fmt = "One or more headers requested are not allowed")]
|
2018-01-10 07:33:51 +01:00
|
|
|
|
HeadersNotAllowed,
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-01-10 23:20:00 +01:00
|
|
|
|
impl ResponseError for CorsError {
|
2019-11-26 11:07:39 +01:00
|
|
|
|
fn status_code(&self) -> StatusCode {
|
|
|
|
|
|
StatusCode::BAD_REQUEST
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-01-10 07:33:51 +01:00
|
|
|
|
fn error_response(&self) -> HttpResponse {
|
2019-03-24 05:29:16 +01:00
|
|
|
|
HttpResponse::with_body(StatusCode::BAD_REQUEST, format!("{}", self).into())
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-14 01:02:01 +02:00
|
|
|
|
/// An enum signifying that some of type T is allowed, or `All` (everything is
|
|
|
|
|
|
/// allowed).
|
2018-01-10 07:33:51 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// `Default` is implemented for this enum and is `All`.
|
|
|
|
|
|
#[derive(Clone, Debug, Eq, PartialEq)]
|
|
|
|
|
|
pub enum AllOrSome<T> {
|
|
|
|
|
|
/// Everything is allowed. Usually equivalent to the "*" value.
|
|
|
|
|
|
All,
|
|
|
|
|
|
/// Only some of `T` is allowed
|
|
|
|
|
|
Some(T),
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
impl<T> Default for AllOrSome<T> {
|
|
|
|
|
|
fn default() -> Self {
|
|
|
|
|
|
AllOrSome::All
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
impl<T> AllOrSome<T> {
|
|
|
|
|
|
/// Returns whether this is an `All` variant
|
|
|
|
|
|
pub fn is_all(&self) -> bool {
|
|
|
|
|
|
match *self {
|
|
|
|
|
|
AllOrSome::All => true,
|
|
|
|
|
|
AllOrSome::Some(_) => false,
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Returns whether this is a `Some` variant
|
|
|
|
|
|
pub fn is_some(&self) -> bool {
|
|
|
|
|
|
!self.is_all()
|
|
|
|
|
|
}
|
2018-01-10 08:55:42 +01:00
|
|
|
|
|
|
|
|
|
|
/// Returns &T
|
|
|
|
|
|
pub fn as_ref(&self) -> Option<&T> {
|
|
|
|
|
|
match *self {
|
|
|
|
|
|
AllOrSome::All => None,
|
|
|
|
|
|
AllOrSome::Some(ref t) => Some(t),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Builder for `CorsFactory` middleware.
|
2018-01-10 07:33:51 +01:00
|
|
|
|
///
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// To construct a [`CorsFactory`](struct.CorsFactory.html):
|
2018-01-10 07:33:51 +01:00
|
|
|
|
///
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// 1. Call [`Cors::new()`](struct.Cors.html#method.new) to start building.
|
|
|
|
|
|
/// 2. Use any of the builder methods to customize CORS behavior.
|
|
|
|
|
|
/// 3. Call [`finish()`](struct.Cors.html#method.finish) to retrieve the
|
|
|
|
|
|
/// middleware.
|
2018-01-10 07:33:51 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// # Example
|
|
|
|
|
|
///
|
|
|
|
|
|
/// ```rust
|
2019-06-15 05:34:16 +02:00
|
|
|
|
/// use actix_cors::Cors;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
/// use actix_web::http::header;
|
2018-01-10 07:33:51 +01:00
|
|
|
|
///
|
2019-06-15 05:34:16 +02:00
|
|
|
|
/// let cors = Cors::new()
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// .allowed_origin("https://www.rust-lang.org")
|
2018-01-10 07:33:51 +01:00
|
|
|
|
/// .allowed_methods(vec!["GET", "POST"])
|
|
|
|
|
|
/// .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT])
|
|
|
|
|
|
/// .allowed_header(header::CONTENT_TYPE)
|
2019-03-24 05:29:16 +01:00
|
|
|
|
/// .max_age(3600);
|
2018-01-10 07:33:51 +01:00
|
|
|
|
/// ```
|
2020-07-03 18:56:46 +02:00
|
|
|
|
#[derive(Debug, Default)]
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub struct Cors {
|
2018-04-09 23:20:12 +02:00
|
|
|
|
cors: Option<Inner>,
|
2018-01-10 07:33:51 +01:00
|
|
|
|
methods: bool,
|
|
|
|
|
|
error: Option<http::Error>,
|
2018-01-10 22:41:33 +01:00
|
|
|
|
expose_hdrs: HashSet<HeaderName>,
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-03-24 05:29:16 +01:00
|
|
|
|
impl Cors {
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Return a new builder.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn new() -> Cors {
|
|
|
|
|
|
Cors {
|
|
|
|
|
|
cors: Some(Inner {
|
|
|
|
|
|
origins: AllOrSome::All,
|
|
|
|
|
|
origins_str: None,
|
2020-09-25 01:36:53 +02:00
|
|
|
|
origins_fns: Vec::new(),
|
2019-03-24 05:29:16 +01:00
|
|
|
|
methods: HashSet::new(),
|
|
|
|
|
|
headers: AllOrSome::All,
|
|
|
|
|
|
expose_hdrs: None,
|
|
|
|
|
|
max_age: None,
|
|
|
|
|
|
preflight: true,
|
|
|
|
|
|
send_wildcard: false,
|
|
|
|
|
|
supports_credentials: false,
|
|
|
|
|
|
vary_header: true,
|
|
|
|
|
|
}),
|
|
|
|
|
|
methods: false,
|
|
|
|
|
|
error: None,
|
|
|
|
|
|
expose_hdrs: HashSet::new(),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Build a CORS middleware with default settings.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn default() -> CorsFactory {
|
|
|
|
|
|
let inner = Inner {
|
|
|
|
|
|
origins: AllOrSome::default(),
|
|
|
|
|
|
origins_str: None,
|
2020-09-25 01:36:53 +02:00
|
|
|
|
origins_fns: Vec::new(),
|
2019-03-24 05:29:16 +01:00
|
|
|
|
methods: HashSet::from_iter(
|
|
|
|
|
|
vec![
|
|
|
|
|
|
Method::GET,
|
|
|
|
|
|
Method::HEAD,
|
|
|
|
|
|
Method::POST,
|
|
|
|
|
|
Method::OPTIONS,
|
|
|
|
|
|
Method::PUT,
|
|
|
|
|
|
Method::PATCH,
|
|
|
|
|
|
Method::DELETE,
|
|
|
|
|
|
]
|
|
|
|
|
|
.into_iter(),
|
|
|
|
|
|
),
|
|
|
|
|
|
headers: AllOrSome::All,
|
|
|
|
|
|
expose_hdrs: None,
|
|
|
|
|
|
max_age: None,
|
|
|
|
|
|
preflight: true,
|
|
|
|
|
|
send_wildcard: false,
|
|
|
|
|
|
supports_credentials: false,
|
|
|
|
|
|
vary_header: true,
|
|
|
|
|
|
};
|
|
|
|
|
|
CorsFactory {
|
|
|
|
|
|
inner: Rc::new(inner),
|
|
|
|
|
|
}
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Add an origin that is allowed to make requests.
|
2018-01-10 07:33:51 +01:00
|
|
|
|
///
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// By default, requests from all origins are accepted by CORS logic.
|
|
|
|
|
|
/// This method allows to specify a finite set of origins to verify the
|
|
|
|
|
|
/// value of the `Origin` request header.
|
2018-01-10 07:33:51 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// This is the `list of origins` in the
|
|
|
|
|
|
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
|
|
|
|
|
|
///
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// When this list is set, the client's `Origin` request header will be
|
|
|
|
|
|
/// checked in a case-sensitive manner.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// When all origins are allowed and `send_wildcard` is set, "*" will be
|
|
|
|
|
|
/// sent in the `Access-Control-Allow-Origin` response header.
|
|
|
|
|
|
/// If `send_wildcard` is not set, the client's `Origin` request header
|
|
|
|
|
|
/// will be echoed back in the `Access-Control-Allow-Origin` response header.
|
2018-04-09 23:20:12 +02:00
|
|
|
|
///
|
2020-09-25 01:36:53 +02:00
|
|
|
|
/// If the origin of the request doesn't match any allowed origins and at least
|
|
|
|
|
|
/// one `allowed_origin_fn` function is set, these functions will be used
|
|
|
|
|
|
/// to determinate allowed origins.
|
|
|
|
|
|
///
|
2018-04-09 23:20:12 +02:00
|
|
|
|
/// Builder panics if supplied origin is not valid uri.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn allowed_origin(mut self, origin: &str) -> Cors {
|
2018-01-10 07:33:51 +01:00
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
2020-09-26 21:02:45 +02:00
|
|
|
|
match TryInto::<Uri>::try_into(origin) {
|
2018-01-12 05:11:34 +01:00
|
|
|
|
Ok(_) => {
|
2018-01-10 07:33:51 +01:00
|
|
|
|
if cors.origins.is_all() {
|
|
|
|
|
|
cors.origins = AllOrSome::Some(HashSet::new());
|
|
|
|
|
|
}
|
|
|
|
|
|
if let AllOrSome::Some(ref mut origins) = cors.origins {
|
2018-01-12 05:11:34 +01:00
|
|
|
|
origins.insert(origin.to_owned());
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
Err(e) => {
|
|
|
|
|
|
self.error = Some(e.into());
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-09-25 01:36:53 +02:00
|
|
|
|
/// Determinate allowed origins by processing requests which didn't match any origins
|
|
|
|
|
|
/// specified in the `allowed_origin`.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// The function will receive a `RequestHead` of each request, which can be used
|
|
|
|
|
|
/// to determine whether it should be allowed or not.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// If the function returns `true`, the client's `Origin` request header will be echoed
|
|
|
|
|
|
/// back into the `Access-Control-Allow-Origin` response header.
|
2020-10-07 12:29:20 +02:00
|
|
|
|
pub fn allowed_origin_fn<F>(mut self, f: F) -> Cors
|
|
|
|
|
|
where
|
|
|
|
|
|
F: (Fn(&RequestHead) -> bool) + 'static,
|
|
|
|
|
|
{
|
2020-09-25 01:36:53 +02:00
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
2020-10-07 12:29:20 +02:00
|
|
|
|
cors.origins_fns.push(OriginFn {
|
|
|
|
|
|
boxed_fn: Box::new(f),
|
|
|
|
|
|
});
|
2020-09-25 01:36:53 +02:00
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Set a list of methods which allowed origins can perform.
|
2018-01-10 07:33:51 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// This is the `list of methods` in the
|
|
|
|
|
|
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
|
|
|
|
|
|
///
|
|
|
|
|
|
/// Defaults to `[GET, HEAD, POST, OPTIONS, PUT, PATCH, DELETE]`
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn allowed_methods<U, M>(mut self, methods: U) -> Cors
|
2018-04-14 01:02:01 +02:00
|
|
|
|
where
|
|
|
|
|
|
U: IntoIterator<Item = M>,
|
2020-09-26 21:02:45 +02:00
|
|
|
|
M: TryInto<Method>,
|
|
|
|
|
|
<M as TryInto<Method>>::Error: Into<HttpError>,
|
2018-01-10 07:33:51 +01:00
|
|
|
|
{
|
|
|
|
|
|
self.methods = true;
|
|
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
2018-01-10 19:12:34 +01:00
|
|
|
|
for m in methods {
|
2020-09-26 21:02:45 +02:00
|
|
|
|
match m.try_into() {
|
2018-01-10 07:33:51 +01:00
|
|
|
|
Ok(method) => {
|
|
|
|
|
|
cors.methods.insert(method);
|
2018-04-14 01:02:01 +02:00
|
|
|
|
}
|
2018-01-10 07:33:51 +01:00
|
|
|
|
Err(e) => {
|
|
|
|
|
|
self.error = Some(e.into());
|
2018-04-14 01:02:01 +02:00
|
|
|
|
break;
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2018-04-14 01:02:01 +02:00
|
|
|
|
}
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Set an allowed header.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn allowed_header<H>(mut self, header: H) -> Cors
|
2018-04-14 01:02:01 +02:00
|
|
|
|
where
|
2020-09-26 21:02:45 +02:00
|
|
|
|
H: TryInto<HeaderName>,
|
|
|
|
|
|
<H as TryInto<HeaderName>>::Error: Into<HttpError>,
|
2018-01-10 07:33:51 +01:00
|
|
|
|
{
|
|
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
2020-09-26 21:02:45 +02:00
|
|
|
|
match header.try_into() {
|
2018-01-10 07:33:51 +01:00
|
|
|
|
Ok(method) => {
|
|
|
|
|
|
if cors.headers.is_all() {
|
|
|
|
|
|
cors.headers = AllOrSome::Some(HashSet::new());
|
|
|
|
|
|
}
|
|
|
|
|
|
if let AllOrSome::Some(ref mut headers) = cors.headers {
|
|
|
|
|
|
headers.insert(method);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
Err(e) => self.error = Some(e.into()),
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Set a list of header field names which can be used when
|
|
|
|
|
|
/// this resource is accessed by allowed origins.
|
|
|
|
|
|
///
|
2018-04-14 01:02:01 +02:00
|
|
|
|
/// If `All` is set, whatever is requested by the client in
|
|
|
|
|
|
/// `Access-Control-Request-Headers` will be echoed back in the
|
|
|
|
|
|
/// `Access-Control-Allow-Headers` header.
|
2018-01-10 07:33:51 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// This is the `list of headers` in the
|
|
|
|
|
|
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
|
|
|
|
|
|
///
|
|
|
|
|
|
/// Defaults to `All`.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn allowed_headers<U, H>(mut self, headers: U) -> Cors
|
2018-04-14 01:02:01 +02:00
|
|
|
|
where
|
|
|
|
|
|
U: IntoIterator<Item = H>,
|
2020-09-26 21:02:45 +02:00
|
|
|
|
H: TryInto<HeaderName>,
|
|
|
|
|
|
<H as TryInto<HeaderName>>::Error: Into<HttpError>,
|
2018-01-10 07:33:51 +01:00
|
|
|
|
{
|
|
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
2018-01-10 19:12:34 +01:00
|
|
|
|
for h in headers {
|
2020-09-26 21:02:45 +02:00
|
|
|
|
match h.try_into() {
|
2018-01-10 07:33:51 +01:00
|
|
|
|
Ok(method) => {
|
|
|
|
|
|
if cors.headers.is_all() {
|
|
|
|
|
|
cors.headers = AllOrSome::Some(HashSet::new());
|
|
|
|
|
|
}
|
|
|
|
|
|
if let AllOrSome::Some(ref mut headers) = cors.headers {
|
|
|
|
|
|
headers.insert(method);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
Err(e) => {
|
|
|
|
|
|
self.error = Some(e.into());
|
2018-04-14 01:02:01 +02:00
|
|
|
|
break;
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2018-04-14 01:02:01 +02:00
|
|
|
|
}
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-14 01:02:01 +02:00
|
|
|
|
/// Set a list of headers which are safe to expose to the API of a CORS API
|
|
|
|
|
|
/// specification. This corresponds to the
|
|
|
|
|
|
/// `Access-Control-Expose-Headers` response header.
|
2018-01-10 22:41:33 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// This is the `list of exposed headers` in the
|
|
|
|
|
|
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
|
|
|
|
|
|
///
|
|
|
|
|
|
/// This defaults to an empty set.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn expose_headers<U, H>(mut self, headers: U) -> Cors
|
2018-04-14 01:02:01 +02:00
|
|
|
|
where
|
|
|
|
|
|
U: IntoIterator<Item = H>,
|
2020-09-26 21:02:45 +02:00
|
|
|
|
H: TryInto<HeaderName>,
|
|
|
|
|
|
<H as TryInto<HeaderName>>::Error: Into<HttpError>,
|
2018-01-10 22:41:33 +01:00
|
|
|
|
{
|
|
|
|
|
|
for h in headers {
|
2020-09-26 21:02:45 +02:00
|
|
|
|
match h.try_into() {
|
2018-01-10 22:41:33 +01:00
|
|
|
|
Ok(method) => {
|
|
|
|
|
|
self.expose_hdrs.insert(method);
|
2018-04-14 01:02:01 +02:00
|
|
|
|
}
|
2018-01-10 22:41:33 +01:00
|
|
|
|
Err(e) => {
|
|
|
|
|
|
self.error = Some(e.into());
|
2018-04-14 01:02:01 +02:00
|
|
|
|
break;
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-01-10 07:33:51 +01:00
|
|
|
|
/// Set a maximum time for which this CORS request maybe cached.
|
|
|
|
|
|
/// This value is set as the `Access-Control-Max-Age` header.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// This defaults to `None` (unset).
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn max_age(mut self, max_age: usize) -> Cors {
|
2018-01-10 07:33:51 +01:00
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
|
|
|
|
|
cors.max_age = Some(max_age)
|
|
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-01-10 08:55:42 +01:00
|
|
|
|
/// Set a wildcard origins
|
|
|
|
|
|
///
|
2018-04-14 01:02:01 +02:00
|
|
|
|
/// If send wildcard is set and the `allowed_origins` parameter is `All`, a
|
|
|
|
|
|
/// wildcard `Access-Control-Allow-Origin` response header is sent,
|
|
|
|
|
|
/// rather than the request’s `Origin` header.
|
2018-01-10 08:55:42 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// This is the `supports credentials flag` in the
|
|
|
|
|
|
/// [Resource Processing Model](https://www.w3.org/TR/cors/#resource-processing-model).
|
|
|
|
|
|
///
|
2018-04-14 01:02:01 +02:00
|
|
|
|
/// This **CANNOT** be used in conjunction with `allowed_origins` set to
|
|
|
|
|
|
/// `All` and `allow_credentials` set to `true`. Depending on the mode
|
|
|
|
|
|
/// of usage, this will either result in an `Error::
|
|
|
|
|
|
/// CredentialsWithWildcardOrigin` error during actix launch or runtime.
|
2018-01-10 08:55:42 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// Defaults to `false`.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn send_wildcard(mut self) -> Cors {
|
2018-01-10 08:55:42 +01:00
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
2018-01-10 22:41:33 +01:00
|
|
|
|
cors.send_wildcard = true
|
|
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// Allows users to make authenticated requests
|
|
|
|
|
|
///
|
2018-04-14 01:02:01 +02:00
|
|
|
|
/// If true, injects the `Access-Control-Allow-Credentials` header in
|
|
|
|
|
|
/// responses. This allows cookies and credentials to be submitted
|
|
|
|
|
|
/// across domains.
|
2018-01-10 22:41:33 +01:00
|
|
|
|
///
|
2018-04-14 01:02:01 +02:00
|
|
|
|
/// This option cannot be used in conjunction with an `allowed_origin` set
|
|
|
|
|
|
/// to `All` and `send_wildcards` set to `true`.
|
2018-01-10 22:41:33 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// Defaults to `false`.
|
2018-04-09 23:20:12 +02:00
|
|
|
|
///
|
|
|
|
|
|
/// Builder panics if credentials are allowed, but the Origin is set to "*".
|
|
|
|
|
|
/// This is not allowed by W3C
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn supports_credentials(mut self) -> Cors {
|
2018-01-10 22:41:33 +01:00
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
|
|
|
|
|
cors.supports_credentials = true
|
2018-01-10 08:55:42 +01:00
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
2018-01-10 22:41:33 +01:00
|
|
|
|
|
|
|
|
|
|
/// Disable `Vary` header support.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// When enabled the header `Vary: Origin` will be returned as per the W3
|
|
|
|
|
|
/// implementation guidelines.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// Setting this header when the `Access-Control-Allow-Origin` is
|
|
|
|
|
|
/// dynamically generated (e.g. when there is more than one allowed
|
|
|
|
|
|
/// origin, and an Origin than '*' is returned) informs CDNs and other
|
|
|
|
|
|
/// caches that the CORS headers are dynamic, and cannot be cached.
|
|
|
|
|
|
///
|
|
|
|
|
|
/// By default `vary` header support is enabled.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn disable_vary_header(mut self) -> Cors {
|
2018-01-10 22:41:33 +01:00
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
|
|
|
|
|
cors.vary_header = false
|
|
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Disable support for preflight requests.
|
2018-01-10 22:41:33 +01:00
|
|
|
|
///
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// When enabled CORS middleware automatically handles `OPTIONS` requests.
|
|
|
|
|
|
/// This is useful for application level middleware.
|
2018-01-10 22:41:33 +01:00
|
|
|
|
///
|
|
|
|
|
|
/// By default *preflight* support is enabled.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub fn disable_preflight(mut self) -> Cors {
|
2018-01-10 22:41:33 +01:00
|
|
|
|
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
|
|
|
|
|
cors.preflight = false
|
|
|
|
|
|
}
|
|
|
|
|
|
self
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Construct CORS middleware.
|
2019-11-21 05:54:07 +01:00
|
|
|
|
pub fn finish(self) -> CorsFactory {
|
2019-03-24 05:29:16 +01:00
|
|
|
|
let mut slf = if !self.methods {
|
2018-04-14 01:02:01 +02:00
|
|
|
|
self.allowed_methods(vec![
|
|
|
|
|
|
Method::GET,
|
|
|
|
|
|
Method::HEAD,
|
|
|
|
|
|
Method::POST,
|
|
|
|
|
|
Method::OPTIONS,
|
|
|
|
|
|
Method::PUT,
|
|
|
|
|
|
Method::PATCH,
|
|
|
|
|
|
Method::DELETE,
|
2019-03-24 05:29:16 +01:00
|
|
|
|
])
|
|
|
|
|
|
} else {
|
|
|
|
|
|
self
|
|
|
|
|
|
};
|
2018-01-10 07:33:51 +01:00
|
|
|
|
|
2019-03-24 05:29:16 +01:00
|
|
|
|
if let Some(e) = slf.error.take() {
|
2018-04-09 23:20:12 +02:00
|
|
|
|
panic!("{}", e);
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-03-24 05:29:16 +01:00
|
|
|
|
let mut cors = slf.cors.take().expect("cannot reuse CorsBuilder");
|
2018-01-10 22:41:33 +01:00
|
|
|
|
|
|
|
|
|
|
if cors.supports_credentials && cors.send_wildcard && cors.origins.is_all() {
|
2018-04-09 23:20:12 +02:00
|
|
|
|
panic!("Credentials are allowed, but the Origin is set to \"*\"");
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if let AllOrSome::Some(ref origins) = cors.origins {
|
2018-04-29 18:09:08 +02:00
|
|
|
|
let s = origins
|
|
|
|
|
|
.iter()
|
2018-09-21 07:45:22 +02:00
|
|
|
|
.fold(String::new(), |s, v| format!("{}, {}", s, v));
|
2020-09-26 21:02:45 +02:00
|
|
|
|
cors.origins_str = Some(s[2..].try_into().unwrap());
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-03-24 05:29:16 +01:00
|
|
|
|
if !slf.expose_hdrs.is_empty() {
|
2018-01-10 22:41:33 +01:00
|
|
|
|
cors.expose_hdrs = Some(
|
2019-03-24 05:29:16 +01:00
|
|
|
|
slf.expose_hdrs
|
2018-08-23 18:48:01 +02:00
|
|
|
|
.iter()
|
2018-08-03 14:03:11 +02:00
|
|
|
|
.fold(String::new(), |s, v| format!("{}, {}", s, v.as_str()))[2..]
|
2018-08-23 18:48:01 +02:00
|
|
|
|
.to_owned(),
|
2018-04-14 01:02:01 +02:00
|
|
|
|
);
|
|
|
|
|
|
}
|
2019-03-24 05:29:16 +01:00
|
|
|
|
|
|
|
|
|
|
CorsFactory {
|
2018-04-14 01:02:01 +02:00
|
|
|
|
inner: Rc::new(cors),
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
2018-04-10 06:11:15 +02:00
|
|
|
|
|
2019-11-21 05:54:07 +01:00
|
|
|
|
fn cors<'a>(
|
|
|
|
|
|
parts: &'a mut Option<Inner>,
|
|
|
|
|
|
err: &Option<http::Error>,
|
|
|
|
|
|
) -> Option<&'a mut Inner> {
|
|
|
|
|
|
if err.is_some() {
|
|
|
|
|
|
return None;
|
|
|
|
|
|
}
|
|
|
|
|
|
parts.as_mut()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Middleware for Cross-Origin Resource Sharing support.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
///
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// This struct contains the settings for CORS requests to be validated and
|
2019-03-24 05:29:16 +01:00
|
|
|
|
/// for responses to be generated.
|
2020-07-03 18:56:46 +02:00
|
|
|
|
#[derive(Debug)]
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub struct CorsFactory {
|
|
|
|
|
|
inner: Rc<Inner>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-04-13 23:50:54 +02:00
|
|
|
|
impl<S, B> Transform<S> for CorsFactory
|
2019-03-24 05:29:16 +01:00
|
|
|
|
where
|
2019-04-25 20:14:32 +02:00
|
|
|
|
S: Service<Request = ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
|
2019-03-24 05:29:16 +01:00
|
|
|
|
S::Future: 'static,
|
|
|
|
|
|
B: 'static,
|
|
|
|
|
|
{
|
2019-04-13 23:50:54 +02:00
|
|
|
|
type Request = ServiceRequest;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
type Response = ServiceResponse<B>;
|
2019-04-25 20:14:32 +02:00
|
|
|
|
type Error = Error;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
type InitError = ();
|
|
|
|
|
|
type Transform = CorsMiddleware<S>;
|
2019-11-21 05:54:07 +01:00
|
|
|
|
type Future = Ready<Result<Self::Transform, Self::InitError>>;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
|
|
|
|
|
|
fn new_transform(&self, service: S) -> Self::Future {
|
|
|
|
|
|
ok(CorsMiddleware {
|
|
|
|
|
|
service,
|
|
|
|
|
|
inner: self.inner.clone(),
|
|
|
|
|
|
})
|
2018-04-10 06:11:15 +02:00
|
|
|
|
}
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
2018-04-10 06:11:15 +02:00
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// Service wrapper for Cross-Origin Resource Sharing support.
|
2019-03-24 05:29:16 +01:00
|
|
|
|
///
|
2020-07-03 18:56:46 +02:00
|
|
|
|
/// This struct contains the settings for CORS requests to be validated and
|
2019-03-24 05:29:16 +01:00
|
|
|
|
/// for responses to be generated.
|
2020-07-03 18:56:46 +02:00
|
|
|
|
#[derive(Debug, Clone)]
|
2019-03-24 05:29:16 +01:00
|
|
|
|
pub struct CorsMiddleware<S> {
|
|
|
|
|
|
service: S,
|
|
|
|
|
|
inner: Rc<Inner>,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-09-25 01:36:53 +02:00
|
|
|
|
struct OriginFn {
|
2020-10-07 12:29:20 +02:00
|
|
|
|
boxed_fn: Box<dyn Fn(&RequestHead) -> bool>,
|
2020-09-25 01:36:53 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
impl fmt::Debug for OriginFn {
|
|
|
|
|
|
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
|
|
|
|
|
write!(f, "origin_fn")
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-07-03 18:56:46 +02:00
|
|
|
|
#[derive(Debug)]
|
2019-03-24 05:29:16 +01:00
|
|
|
|
struct Inner {
|
|
|
|
|
|
methods: HashSet<Method>,
|
|
|
|
|
|
origins: AllOrSome<HashSet<String>>,
|
2020-09-25 01:36:53 +02:00
|
|
|
|
origins_fns: Vec<OriginFn>,
|
2019-03-24 05:29:16 +01:00
|
|
|
|
origins_str: Option<HeaderValue>,
|
|
|
|
|
|
headers: AllOrSome<HashSet<HeaderName>>,
|
|
|
|
|
|
expose_hdrs: Option<String>,
|
|
|
|
|
|
max_age: Option<usize>,
|
|
|
|
|
|
preflight: bool,
|
|
|
|
|
|
send_wildcard: bool,
|
|
|
|
|
|
supports_credentials: bool,
|
|
|
|
|
|
vary_header: bool,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
impl Inner {
|
|
|
|
|
|
fn validate_origin(&self, req: &RequestHead) -> Result<(), CorsError> {
|
2019-04-07 00:02:02 +02:00
|
|
|
|
if let Some(hdr) = req.headers().get(&header::ORIGIN) {
|
2019-03-24 05:29:16 +01:00
|
|
|
|
if let Ok(origin) = hdr.to_str() {
|
|
|
|
|
|
return match self.origins {
|
|
|
|
|
|
AllOrSome::All => Ok(()),
|
|
|
|
|
|
AllOrSome::Some(ref allowed_origins) => allowed_origins
|
|
|
|
|
|
.get(origin)
|
2020-01-30 10:21:02 +01:00
|
|
|
|
.map(|_| ())
|
2020-09-25 01:36:53 +02:00
|
|
|
|
.or_else(|| {
|
|
|
|
|
|
if self.validate_origin_fns(req) {
|
|
|
|
|
|
Some(())
|
|
|
|
|
|
} else {
|
|
|
|
|
|
None
|
|
|
|
|
|
}
|
|
|
|
|
|
})
|
2020-09-12 01:52:55 +02:00
|
|
|
|
.ok_or(CorsError::OriginNotAllowed),
|
2019-03-24 05:29:16 +01:00
|
|
|
|
};
|
|
|
|
|
|
}
|
|
|
|
|
|
Err(CorsError::BadOrigin)
|
|
|
|
|
|
} else {
|
2019-07-17 11:48:37 +02:00
|
|
|
|
match self.origins {
|
2019-03-24 05:29:16 +01:00
|
|
|
|
AllOrSome::All => Ok(()),
|
|
|
|
|
|
_ => Err(CorsError::MissingOrigin),
|
2019-07-17 11:48:37 +02:00
|
|
|
|
}
|
2018-04-10 06:11:15 +02:00
|
|
|
|
}
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
2018-04-10 06:11:15 +02:00
|
|
|
|
|
2020-09-25 01:36:53 +02:00
|
|
|
|
fn validate_origin_fns(&self, req: &RequestHead) -> bool {
|
2020-10-07 12:29:20 +02:00
|
|
|
|
self.origins_fns
|
|
|
|
|
|
.iter()
|
|
|
|
|
|
.any(|origin_fn| (origin_fn.boxed_fn)(req))
|
2020-09-25 01:36:53 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-03-24 05:29:16 +01:00
|
|
|
|
fn access_control_allow_origin(&self, req: &RequestHead) -> Option<HeaderValue> {
|
|
|
|
|
|
match self.origins {
|
|
|
|
|
|
AllOrSome::All => {
|
|
|
|
|
|
if self.send_wildcard {
|
|
|
|
|
|
Some(HeaderValue::from_static("*"))
|
2019-04-07 00:02:02 +02:00
|
|
|
|
} else if let Some(origin) = req.headers().get(&header::ORIGIN) {
|
2019-03-24 05:29:16 +01:00
|
|
|
|
Some(origin.clone())
|
|
|
|
|
|
} else {
|
|
|
|
|
|
None
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
AllOrSome::Some(ref origins) => {
|
|
|
|
|
|
if let Some(origin) =
|
|
|
|
|
|
req.headers()
|
2019-04-07 00:02:02 +02:00
|
|
|
|
.get(&header::ORIGIN)
|
2019-03-24 05:29:16 +01:00
|
|
|
|
.filter(|o| match o.to_str() {
|
|
|
|
|
|
Ok(os) => origins.contains(os),
|
|
|
|
|
|
_ => false,
|
|
|
|
|
|
})
|
|
|
|
|
|
{
|
|
|
|
|
|
Some(origin.clone())
|
2020-09-25 01:36:53 +02:00
|
|
|
|
} else if self.validate_origin_fns(req) {
|
|
|
|
|
|
Some(req.headers().get(&header::ORIGIN).unwrap().clone())
|
2019-03-24 05:29:16 +01:00
|
|
|
|
} else {
|
|
|
|
|
|
Some(self.origins_str.as_ref().unwrap().clone())
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2018-04-10 06:11:15 +02:00
|
|
|
|
|
2019-03-24 05:29:16 +01:00
|
|
|
|
fn validate_allowed_method(&self, req: &RequestHead) -> Result<(), CorsError> {
|
2019-04-07 00:02:02 +02:00
|
|
|
|
if let Some(hdr) = req.headers().get(&header::ACCESS_CONTROL_REQUEST_METHOD) {
|
2019-03-24 05:29:16 +01:00
|
|
|
|
if let Ok(meth) = hdr.to_str() {
|
2020-09-26 21:02:45 +02:00
|
|
|
|
if let Ok(method) = meth.try_into() {
|
2019-03-24 05:29:16 +01:00
|
|
|
|
return self
|
|
|
|
|
|
.methods
|
|
|
|
|
|
.get(&method)
|
2020-01-30 10:21:02 +01:00
|
|
|
|
.map(|_| ())
|
2020-09-12 01:52:55 +02:00
|
|
|
|
.ok_or(CorsError::MethodNotAllowed);
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
Err(CorsError::BadRequestMethod)
|
|
|
|
|
|
} else {
|
|
|
|
|
|
Err(CorsError::MissingRequestMethod)
|
2018-04-10 06:11:15 +02:00
|
|
|
|
}
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
2018-04-10 06:11:15 +02:00
|
|
|
|
|
2019-03-24 05:29:16 +01:00
|
|
|
|
fn validate_allowed_headers(&self, req: &RequestHead) -> Result<(), CorsError> {
|
|
|
|
|
|
match self.headers {
|
|
|
|
|
|
AllOrSome::All => Ok(()),
|
|
|
|
|
|
AllOrSome::Some(ref allowed_headers) => {
|
|
|
|
|
|
if let Some(hdr) =
|
2019-04-07 00:02:02 +02:00
|
|
|
|
req.headers().get(&header::ACCESS_CONTROL_REQUEST_HEADERS)
|
2019-03-24 05:29:16 +01:00
|
|
|
|
{
|
|
|
|
|
|
if let Ok(headers) = hdr.to_str() {
|
2020-01-30 10:21:02 +01:00
|
|
|
|
#[allow(clippy::mutable_key_type)] // FIXME: revisit here
|
2019-03-24 05:29:16 +01:00
|
|
|
|
let mut hdrs = HashSet::new();
|
|
|
|
|
|
for hdr in headers.split(',') {
|
2020-09-26 21:02:45 +02:00
|
|
|
|
match hdr.trim().try_into() {
|
2019-03-24 05:29:16 +01:00
|
|
|
|
Ok(hdr) => hdrs.insert(hdr),
|
|
|
|
|
|
Err(_) => return Err(CorsError::BadRequestHeaders),
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
2019-05-04 17:41:37 +02:00
|
|
|
|
// `Access-Control-Request-Headers` must contain 1 or more
|
|
|
|
|
|
// `field-name`.
|
|
|
|
|
|
if !hdrs.is_empty() {
|
|
|
|
|
|
if !hdrs.is_subset(allowed_headers) {
|
|
|
|
|
|
return Err(CorsError::HeadersNotAllowed);
|
|
|
|
|
|
}
|
|
|
|
|
|
return Ok(());
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
Err(CorsError::BadRequestHeaders)
|
|
|
|
|
|
} else {
|
2019-07-17 11:48:37 +02:00
|
|
|
|
Ok(())
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2018-04-10 06:11:15 +02:00
|
|
|
|
}
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-04-13 23:50:54 +02:00
|
|
|
|
impl<S, B> Service for CorsMiddleware<S>
|
2019-03-24 05:29:16 +01:00
|
|
|
|
where
|
2019-04-25 20:14:32 +02:00
|
|
|
|
S: Service<Request = ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
|
2019-03-24 05:29:16 +01:00
|
|
|
|
S::Future: 'static,
|
|
|
|
|
|
B: 'static,
|
|
|
|
|
|
{
|
2019-04-13 23:50:54 +02:00
|
|
|
|
type Request = ServiceRequest;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
type Response = ServiceResponse<B>;
|
2019-04-25 20:14:32 +02:00
|
|
|
|
type Error = Error;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
type Future = Either<
|
2019-11-21 05:54:07 +01:00
|
|
|
|
Ready<Result<Self::Response, Error>>,
|
|
|
|
|
|
LocalBoxFuture<'static, Result<Self::Response, Error>>,
|
2019-03-24 05:29:16 +01:00
|
|
|
|
>;
|
|
|
|
|
|
|
2020-09-11 17:26:15 +02:00
|
|
|
|
fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
|
2019-11-21 05:54:07 +01:00
|
|
|
|
self.service.poll_ready(cx)
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
2018-01-10 22:41:33 +01:00
|
|
|
|
|
2019-04-13 23:50:54 +02:00
|
|
|
|
fn call(&mut self, req: ServiceRequest) -> Self::Future {
|
2019-03-24 05:29:16 +01:00
|
|
|
|
if self.inner.preflight && Method::OPTIONS == *req.method() {
|
|
|
|
|
|
if let Err(e) = self
|
|
|
|
|
|
.inner
|
2019-04-02 22:35:01 +02:00
|
|
|
|
.validate_origin(req.head())
|
|
|
|
|
|
.and_then(|_| self.inner.validate_allowed_method(req.head()))
|
|
|
|
|
|
.and_then(|_| self.inner.validate_allowed_headers(req.head()))
|
2019-03-24 05:29:16 +01:00
|
|
|
|
{
|
2019-11-21 05:54:07 +01:00
|
|
|
|
return Either::Left(ok(req.error_response(e)));
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
2019-03-24 05:29:16 +01:00
|
|
|
|
|
|
|
|
|
|
// allowed headers
|
|
|
|
|
|
let headers = if let Some(headers) = self.inner.headers.as_ref() {
|
|
|
|
|
|
Some(
|
2020-09-26 21:02:45 +02:00
|
|
|
|
headers
|
|
|
|
|
|
.iter()
|
|
|
|
|
|
.fold(String::new(), |s, v| s + "," + v.as_str())
|
|
|
|
|
|
.as_str()[1..]
|
|
|
|
|
|
.try_into()
|
|
|
|
|
|
.unwrap(),
|
2019-03-24 05:29:16 +01:00
|
|
|
|
)
|
|
|
|
|
|
} else if let Some(hdr) =
|
2019-04-07 00:02:02 +02:00
|
|
|
|
req.headers().get(&header::ACCESS_CONTROL_REQUEST_HEADERS)
|
2019-03-24 05:29:16 +01:00
|
|
|
|
{
|
|
|
|
|
|
Some(hdr.clone())
|
|
|
|
|
|
} else {
|
|
|
|
|
|
None
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
let res = HttpResponse::Ok()
|
|
|
|
|
|
.if_some(self.inner.max_age.as_ref(), |max_age, resp| {
|
|
|
|
|
|
let _ = resp.header(
|
|
|
|
|
|
header::ACCESS_CONTROL_MAX_AGE,
|
|
|
|
|
|
format!("{}", max_age).as_str(),
|
|
|
|
|
|
);
|
|
|
|
|
|
})
|
|
|
|
|
|
.if_some(headers, |headers, resp| {
|
|
|
|
|
|
let _ = resp.header(header::ACCESS_CONTROL_ALLOW_HEADERS, headers);
|
|
|
|
|
|
})
|
|
|
|
|
|
.if_some(
|
2019-04-02 22:35:01 +02:00
|
|
|
|
self.inner.access_control_allow_origin(req.head()),
|
2019-03-24 05:29:16 +01:00
|
|
|
|
|origin, resp| {
|
|
|
|
|
|
let _ = resp.header(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin);
|
|
|
|
|
|
},
|
|
|
|
|
|
)
|
|
|
|
|
|
.if_true(self.inner.supports_credentials, |resp| {
|
|
|
|
|
|
resp.header(header::ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
|
|
|
|
|
|
})
|
|
|
|
|
|
.header(
|
|
|
|
|
|
header::ACCESS_CONTROL_ALLOW_METHODS,
|
|
|
|
|
|
&self
|
|
|
|
|
|
.inner
|
|
|
|
|
|
.methods
|
|
|
|
|
|
.iter()
|
|
|
|
|
|
.fold(String::new(), |s, v| s + "," + v.as_str())
|
|
|
|
|
|
.as_str()[1..],
|
|
|
|
|
|
)
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.into_body();
|
|
|
|
|
|
|
2019-11-21 05:54:07 +01:00
|
|
|
|
Either::Left(ok(req.into_response(res)))
|
|
|
|
|
|
} else {
|
|
|
|
|
|
if req.headers().contains_key(&header::ORIGIN) {
|
|
|
|
|
|
// Only check requests with a origin header.
|
|
|
|
|
|
if let Err(e) = self.inner.validate_origin(req.head()) {
|
|
|
|
|
|
return Either::Left(ok(req.error_response(e)));
|
|
|
|
|
|
}
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
2019-03-24 05:29:16 +01:00
|
|
|
|
|
|
|
|
|
|
let inner = self.inner.clone();
|
2019-11-21 05:54:07 +01:00
|
|
|
|
let has_origin = req.headers().contains_key(&header::ORIGIN);
|
|
|
|
|
|
let fut = self.service.call(req);
|
|
|
|
|
|
|
|
|
|
|
|
Either::Right(
|
|
|
|
|
|
async move {
|
|
|
|
|
|
let res = fut.await;
|
|
|
|
|
|
|
|
|
|
|
|
if has_origin {
|
|
|
|
|
|
let mut res = res?;
|
|
|
|
|
|
if let Some(origin) =
|
|
|
|
|
|
inner.access_control_allow_origin(res.request().head())
|
|
|
|
|
|
{
|
2020-03-11 21:48:57 +01:00
|
|
|
|
res.headers_mut()
|
|
|
|
|
|
.insert(header::ACCESS_CONTROL_ALLOW_ORIGIN, origin);
|
2019-11-21 05:54:07 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
if let Some(ref expose) = inner.expose_hdrs {
|
|
|
|
|
|
res.headers_mut().insert(
|
|
|
|
|
|
header::ACCESS_CONTROL_EXPOSE_HEADERS,
|
2020-09-26 21:02:45 +02:00
|
|
|
|
expose.as_str().try_into().unwrap(),
|
2019-11-21 05:54:07 +01:00
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
if inner.supports_credentials {
|
|
|
|
|
|
res.headers_mut().insert(
|
|
|
|
|
|
header::ACCESS_CONTROL_ALLOW_CREDENTIALS,
|
|
|
|
|
|
HeaderValue::from_static("true"),
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
if inner.vary_header {
|
|
|
|
|
|
let value = if let Some(hdr) =
|
|
|
|
|
|
res.headers_mut().get(&header::VARY)
|
|
|
|
|
|
{
|
2019-03-24 05:29:16 +01:00
|
|
|
|
let mut val: Vec<u8> =
|
|
|
|
|
|
Vec::with_capacity(hdr.as_bytes().len() + 8);
|
|
|
|
|
|
val.extend(hdr.as_bytes());
|
|
|
|
|
|
val.extend(b", Origin");
|
2020-09-26 21:02:45 +02:00
|
|
|
|
val.try_into().unwrap()
|
2019-03-24 05:29:16 +01:00
|
|
|
|
} else {
|
|
|
|
|
|
HeaderValue::from_static("Origin")
|
|
|
|
|
|
};
|
2019-11-21 05:54:07 +01:00
|
|
|
|
res.headers_mut().insert(header::VARY, value);
|
|
|
|
|
|
}
|
|
|
|
|
|
Ok(res)
|
|
|
|
|
|
} else {
|
|
|
|
|
|
res
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
2019-11-21 05:54:07 +01:00
|
|
|
|
}
|
2019-12-25 17:13:52 +01:00
|
|
|
|
.boxed_local(),
|
2019-11-21 05:54:07 +01:00
|
|
|
|
)
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2019-03-24 05:29:16 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
|
|
mod tests {
|
2019-12-08 14:25:24 +01:00
|
|
|
|
use actix_service::{fn_service, Transform};
|
2019-11-26 06:25:50 +01:00
|
|
|
|
use actix_web::test::{self, TestRequest};
|
2020-09-26 21:02:45 +02:00
|
|
|
|
use std::convert::Infallible;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
|
|
|
|
|
|
use super::*;
|
2020-10-07 12:29:20 +02:00
|
|
|
|
use regex::bytes::Regex;
|
2019-03-24 05:29:16 +01:00
|
|
|
|
|
2020-09-26 21:02:45 +02:00
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn allowed_header_tryfrom() {
|
|
|
|
|
|
let _cors = Cors::new().allowed_header("Content-Type");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn allowed_header_tryinto() {
|
|
|
|
|
|
struct ContentType;
|
|
|
|
|
|
|
|
|
|
|
|
impl TryInto<HeaderName> for ContentType {
|
|
|
|
|
|
type Error = Infallible;
|
|
|
|
|
|
|
|
|
|
|
|
fn try_into(self) -> Result<HeaderName, Self::Error> {
|
|
|
|
|
|
Ok(HeaderName::from_static("content-type"))
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
let _cors = Cors::new().allowed_header(ContentType);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
2018-04-09 23:20:12 +02:00
|
|
|
|
#[should_panic(expected = "Credentials are allowed, but the Origin is set to")]
|
2019-11-26 06:25:50 +01:00
|
|
|
|
async fn cors_validates_illegal_allow_credentials() {
|
2019-11-21 05:54:07 +01:00
|
|
|
|
let _cors = Cors::new().supports_credentials().send_wildcard().finish();
|
2018-04-10 06:11:15 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn validate_origin_allows_all_origins() {
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(resp.status(), StatusCode::OK);
|
2018-01-10 22:41:33 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn default() {
|
|
|
|
|
|
let mut cors = Cors::default()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(resp.status(), StatusCode::OK);
|
2019-04-15 05:20:33 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn test_preflight() {
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.send_wildcard()
|
|
|
|
|
|
.max_age(3600)
|
|
|
|
|
|
.allowed_methods(vec![Method::GET, Method::OPTIONS, Method::POST])
|
|
|
|
|
|
.allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT])
|
|
|
|
|
|
.allowed_header(header::CONTENT_TYPE)
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.header(header::ACCESS_CONTROL_REQUEST_HEADERS, "X-Not-Allowed")
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
assert!(cors.inner.validate_allowed_method(req.head()).is_err());
|
|
|
|
|
|
assert!(cors.inner.validate_allowed_headers(req.head()).is_err());
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "put")
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
assert!(cors.inner.validate_allowed_method(req.head()).is_err());
|
|
|
|
|
|
assert!(cors.inner.validate_allowed_headers(req.head()).is_ok());
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")
|
|
|
|
|
|
.header(
|
|
|
|
|
|
header::ACCESS_CONTROL_REQUEST_HEADERS,
|
|
|
|
|
|
"AUTHORIZATION,ACCEPT",
|
|
|
|
|
|
)
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"*"[..],
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(&header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
2018-04-29 18:09:08 +02:00
|
|
|
|
.unwrap()
|
2019-11-26 06:25:50 +01:00
|
|
|
|
.as_bytes()
|
|
|
|
|
|
);
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"3600"[..],
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(&header::ACCESS_CONTROL_MAX_AGE)
|
2018-04-29 18:09:08 +02:00
|
|
|
|
.unwrap()
|
2019-11-26 06:25:50 +01:00
|
|
|
|
.as_bytes()
|
|
|
|
|
|
);
|
|
|
|
|
|
let hdr = resp
|
|
|
|
|
|
.headers()
|
|
|
|
|
|
.get(&header::ACCESS_CONTROL_ALLOW_HEADERS)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.to_str()
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
assert!(hdr.contains("authorization"));
|
|
|
|
|
|
assert!(hdr.contains("accept"));
|
|
|
|
|
|
assert!(hdr.contains("content-type"));
|
|
|
|
|
|
|
|
|
|
|
|
let methods = resp
|
|
|
|
|
|
.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_METHODS)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.to_str()
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
assert!(methods.contains("POST"));
|
|
|
|
|
|
assert!(methods.contains("GET"));
|
|
|
|
|
|
assert!(methods.contains("OPTIONS"));
|
|
|
|
|
|
|
|
|
|
|
|
Rc::get_mut(&mut cors.inner).unwrap().preflight = false;
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")
|
|
|
|
|
|
.header(
|
|
|
|
|
|
header::ACCESS_CONTROL_REQUEST_HEADERS,
|
|
|
|
|
|
"AUTHORIZATION,ACCEPT",
|
|
|
|
|
|
)
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.to_srv_request();
|
2019-03-24 05:29:16 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(resp.status(), StatusCode::OK);
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
2018-01-10 23:20:00 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
// #[actix_rt::test]
|
2018-06-05 16:39:47 +02:00
|
|
|
|
// #[should_panic(expected = "MissingOrigin")]
|
2019-11-26 06:25:50 +01:00
|
|
|
|
// async fn test_validate_missing_origin() {
|
2018-06-21 19:06:23 +02:00
|
|
|
|
// let cors = Cors::build()
|
2018-06-05 16:39:47 +02:00
|
|
|
|
// .allowed_origin("https://www.example.com")
|
|
|
|
|
|
// .finish();
|
|
|
|
|
|
// let mut req = HttpRequest::default();
|
2018-06-25 06:58:04 +02:00
|
|
|
|
// cors.start(&req).unwrap();
|
2018-06-05 16:39:47 +02:00
|
|
|
|
// }
|
2018-01-10 23:56:45 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
2018-01-10 23:56:45 +01:00
|
|
|
|
#[should_panic(expected = "OriginNotAllowed")]
|
2019-11-26 06:25:50 +01:00
|
|
|
|
async fn test_validate_not_allowed_origin() {
|
|
|
|
|
|
let cors = Cors::new()
|
|
|
|
|
|
.allowed_origin("https://www.example.com")
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.unknown.com")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
cors.inner.validate_origin(req.head()).unwrap();
|
|
|
|
|
|
cors.inner.validate_allowed_method(req.head()).unwrap();
|
|
|
|
|
|
cors.inner.validate_allowed_headers(req.head()).unwrap();
|
2018-01-10 23:56:45 +01:00
|
|
|
|
}
|
2018-01-10 23:20:00 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn test_validate_origin() {
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.allowed_origin("https://www.example.com")
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(resp.status(), StatusCode::OK);
|
2018-01-10 23:20:00 +01:00
|
|
|
|
}
|
2018-01-10 23:56:45 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn test_no_origin_response() {
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.disable_preflight()
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::default().method(Method::GET).to_srv_request();
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert!(resp
|
|
|
|
|
|
.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.is_none());
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"https://www.example.com"[..],
|
|
|
|
|
|
resp.headers()
|
2018-04-29 18:09:08 +02:00
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
2019-11-26 06:25:50 +01:00
|
|
|
|
.unwrap()
|
|
|
|
|
|
.as_bytes()
|
|
|
|
|
|
);
|
2018-03-10 17:31:20 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn test_response() {
|
|
|
|
|
|
let exposed_headers = vec![header::AUTHORIZATION, header::ACCEPT];
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.send_wildcard()
|
|
|
|
|
|
.disable_preflight()
|
|
|
|
|
|
.max_age(3600)
|
|
|
|
|
|
.allowed_methods(vec![Method::GET, Method::OPTIONS, Method::POST])
|
|
|
|
|
|
.allowed_headers(exposed_headers.clone())
|
|
|
|
|
|
.expose_headers(exposed_headers.clone())
|
|
|
|
|
|
.allowed_header(header::CONTENT_TYPE)
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"*"[..],
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.as_bytes()
|
|
|
|
|
|
);
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"Origin"[..],
|
|
|
|
|
|
resp.headers().get(header::VARY).unwrap().as_bytes()
|
|
|
|
|
|
);
|
|
|
|
|
|
|
2020-09-28 03:04:18 +02:00
|
|
|
|
#[allow(clippy::needless_collect)]
|
2019-11-26 06:25:50 +01:00
|
|
|
|
{
|
|
|
|
|
|
let headers = resp
|
|
|
|
|
|
.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_EXPOSE_HEADERS)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.to_str()
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.split(',')
|
|
|
|
|
|
.map(|s| s.trim())
|
|
|
|
|
|
.collect::<Vec<&str>>();
|
2019-11-21 05:54:07 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
for h in exposed_headers {
|
|
|
|
|
|
assert!(headers.contains(&h.as_str()));
|
2019-11-21 05:54:07 +01:00
|
|
|
|
}
|
2019-11-26 06:25:50 +01:00
|
|
|
|
}
|
2019-11-21 05:54:07 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
let exposed_headers = vec![header::AUTHORIZATION, header::ACCEPT];
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.send_wildcard()
|
|
|
|
|
|
.disable_preflight()
|
|
|
|
|
|
.max_age(3600)
|
|
|
|
|
|
.allowed_methods(vec![Method::GET, Method::OPTIONS, Method::POST])
|
|
|
|
|
|
.allowed_headers(exposed_headers.clone())
|
|
|
|
|
|
.expose_headers(exposed_headers.clone())
|
|
|
|
|
|
.allowed_header(header::CONTENT_TYPE)
|
|
|
|
|
|
.finish()
|
2019-12-08 14:25:24 +01:00
|
|
|
|
.new_transform(fn_service(|req: ServiceRequest| {
|
2019-11-26 06:25:50 +01:00
|
|
|
|
ok(req.into_response(
|
|
|
|
|
|
HttpResponse::Ok().header(header::VARY, "Accept").finish(),
|
|
|
|
|
|
))
|
|
|
|
|
|
}))
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"Accept, Origin"[..],
|
|
|
|
|
|
resp.headers().get(header::VARY).unwrap().as_bytes()
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.disable_vary_header()
|
|
|
|
|
|
.allowed_origin("https://www.example.com")
|
|
|
|
|
|
.allowed_origin("https://www.google.com")
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "POST")
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
|
|
|
|
|
|
let origins_str = resp
|
|
|
|
|
|
.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.to_str()
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
assert_eq!("https://www.example.com", origins_str);
|
|
|
|
|
|
}
|
2019-11-21 05:54:07 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn test_multiple_origins() {
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.allowed_origin("https://example.com")
|
|
|
|
|
|
.allowed_origin("https://example.org")
|
|
|
|
|
|
.allowed_methods(vec![Method::GET])
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://example.com")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"https://example.com"[..],
|
|
|
|
|
|
resp.headers()
|
2019-11-21 05:54:07 +01:00
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
2018-08-03 14:03:11 +02:00
|
|
|
|
.unwrap()
|
2019-11-26 06:25:50 +01:00
|
|
|
|
.as_bytes()
|
|
|
|
|
|
);
|
2018-08-03 14:03:11 +02:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
let req = TestRequest::with_header("Origin", "https://example.org")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
2018-12-24 19:16:07 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"https://example.org"[..],
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.as_bytes()
|
|
|
|
|
|
);
|
2018-12-24 19:16:07 +01:00
|
|
|
|
}
|
2019-03-11 05:26:54 +01:00
|
|
|
|
|
2019-11-26 06:25:50 +01:00
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn test_multiple_origins_preflight() {
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.allowed_origin("https://example.com")
|
|
|
|
|
|
.allowed_origin("https://example.org")
|
|
|
|
|
|
.allowed_methods(vec![Method::GET])
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://example.com")
|
|
|
|
|
|
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "GET")
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"https://example.com"[..],
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.as_bytes()
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://example.org")
|
|
|
|
|
|
.header(header::ACCESS_CONTROL_REQUEST_METHOD, "GET")
|
|
|
|
|
|
.method(Method::OPTIONS)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
&b"https://example.org"[..],
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.as_bytes()
|
|
|
|
|
|
);
|
2019-03-11 05:26:54 +01:00
|
|
|
|
}
|
2020-09-25 01:36:53 +02:00
|
|
|
|
|
|
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn test_allowed_origin_fn() {
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.allowed_origin("https://www.example.com")
|
|
|
|
|
|
.allowed_origin_fn(|req| {
|
|
|
|
|
|
req.headers
|
|
|
|
|
|
.get(header::ORIGIN)
|
|
|
|
|
|
.map(HeaderValue::as_bytes)
|
|
|
|
|
|
.filter(|b| b.ends_with(b".unknown.com"))
|
|
|
|
|
|
.is_some()
|
|
|
|
|
|
})
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
2020-10-07 12:29:20 +02:00
|
|
|
|
{
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
"https://www.example.com",
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.to_str()
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.unknown.com")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
Some(&b"https://www.unknown.com"[..]),
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.map(HeaderValue::as_bytes)
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn test_allowed_origin_fn_with_environment() {
|
|
|
|
|
|
let regex = Regex::new("https:.+\\.unknown\\.com").unwrap();
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.allowed_origin("https://www.example.com")
|
|
|
|
|
|
.allowed_origin_fn(move |req| {
|
|
|
|
|
|
req.headers
|
|
|
|
|
|
.get(header::ORIGIN)
|
|
|
|
|
|
.map(HeaderValue::as_bytes)
|
|
|
|
|
|
.filter(|b| regex.is_match(b))
|
|
|
|
|
|
.is_some()
|
|
|
|
|
|
})
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
2020-09-25 01:36:53 +02:00
|
|
|
|
{
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
"https://www.example.com",
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
.to_str()
|
|
|
|
|
|
.unwrap()
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.unknown.com")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
Some(&b"https://www.unknown.com"[..]),
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.map(HeaderValue::as_bytes)
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#[actix_rt::test]
|
|
|
|
|
|
async fn test_not_allowed_origin_fn() {
|
|
|
|
|
|
let mut cors = Cors::new()
|
|
|
|
|
|
.allowed_origin("https://www.example.com")
|
|
|
|
|
|
.allowed_origin_fn(|req| {
|
|
|
|
|
|
req.headers
|
|
|
|
|
|
.get(header::ORIGIN)
|
|
|
|
|
|
.map(HeaderValue::as_bytes)
|
|
|
|
|
|
.filter(|b| b.ends_with(b".unknown.com"))
|
|
|
|
|
|
.is_some()
|
|
|
|
|
|
})
|
|
|
|
|
|
.finish()
|
|
|
|
|
|
.new_transform(test::ok_service())
|
|
|
|
|
|
.await
|
|
|
|
|
|
.unwrap();
|
|
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.example.com")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
Some(&b"https://www.example.com"[..]),
|
|
|
|
|
|
resp.headers()
|
|
|
|
|
|
.get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
.map(HeaderValue::as_bytes)
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
let req = TestRequest::with_header("Origin", "https://www.known.com")
|
|
|
|
|
|
.method(Method::GET)
|
|
|
|
|
|
.to_srv_request();
|
|
|
|
|
|
|
|
|
|
|
|
let resp = test::call_service(&mut cors, req).await;
|
|
|
|
|
|
|
|
|
|
|
|
assert_eq!(
|
|
|
|
|
|
None,
|
|
|
|
|
|
resp.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN)
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2018-01-10 07:33:51 +01:00
|
|
|
|
}
|
